Cybersecurity – it’s not just about Sony Pictures

Leading financial institutions in London and New York are planning a massive cyber-attack on their respective computer systems later this year, it’s been revealed.

However, this seeming Square Mile versus Wall Street grudge match is no bout of fiscal rivalry; it’s one outcome of a deal between President Barack Obama and U.K. Prime Minister David Cameron to challenge global cyberterrorism and curb hacking and increasingly prevalent cybercrime.

Getting the world’s greatest financial institutions engaged in joint war games organised and run by the U.S. and U.K. governments shows just how seriously Washington and Westminster are taking the threat. And with January’s World Economic Forum in Davos, Switzerland putting the threat of corporate cyber-attacks centre stage, the message is that no-one is immune.

But Northern Ireland public and private sector organisations needn’t nod in the direction of recent victims like Sony Pictures, eBay and JP Morgan and assume it couldn’t happen here – it can and it does and what’s more, it’s becoming more frequent and the costs are spiralling upwards.

PwC’s Belfast-based risk assurance and forensic technology teams are all too often called in after a cyber-catastrophe befalls an ‘it couldn’t happen to us’ corporate victim who has contemplated pillaged bank accounts or intellectual property theft. So, across Northern Ireland there is no shortage of local tales of woe.

Staff at an SME not far from Belfast logged into their online banking system to find over £110k had been transferred to China.

A small local catering business and a care home both fell victim to "Ransomware" - software that encrypted the contents of their computers and server and demanded a ransom to get them back – aside from these two examples, PwC’s experience is that, generally, nothing happens even when victims pay the ransom.

A manufacturing firm found another company in a different country had produced a nearly identical product after one of their employees moved there – having stolen the designs and their intellectual property.

An NI firm's overseas client was contacted by an imposter pretending to be from the NI firm, persuading them to change the bank account details on file and make a payment of over £200k. This has damaged the NI firm's financial and business reputation and the only redress is through the courts – assuming they can identify the perpetrator.

Coinciding with the World Economic Forum at Davos, the organisers issued a report warning that failing to improve cyber-security would potentially cost the global economy a whopping $3 trillion. That warning was underpinned by PwC’s 18th Annual CEO Survey - the keynote report that sets the tone of the World Economic Forum – where CEOs’ fears over cyber threats demonstrated the most dramatic year-on-year increase of any concern.

And while attempts to introduce cybersecurity legislation in the US have been unsuccessful in recent years, the US Congress is currently considering legislation that could hold executive and management teams potentially legally liable for failing to establish “reasonable” capabilities in terms of creating and implementing cybersecurity policies.

Looking behind the headlines at how many cybersecurity breaches occur hints at why US legislators are finger-pointing at business. That’s because much of the data theft and financial misappropriation is preventable because it’s often an in-house problem. The Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and undertaken by PwC, says that 31% of the worst security breaches identified were caused by human error, with a further 20% due to deliberate misuse of systems by staff.

So, while a cyberattack on Sony Pictures may make headlines across the world, it’s generally a combination of poor culture, lacklustre processes, careless staff and dishonest employees that combine to cause most of the trouble. Access to a wide range of technology is essential for almost every business to operate in a world dependent on the web but organisations must consider the risks and be confident in their capability to manage them if they are to escape the inevitability of fraud or cyberattack.

And that comes back, not to managing technology, but to managing people and processes. Companies need to get the culture right and provide training for staff on basic awareness when using company computers and mobile devices such as smartphones, iPads and USB keys. Everyone from the top down needs to understand that their assets – from intellectual property to cash in the bank – all have value and that’s why people want to buy or steal them.

The experience of PwC’s 100-strong UK forensic technology team, which is largely based in PwC’s Belfast office, is that cyber criminals have three objectives: to steal secrets, steal money or inflict reputational damage. The bitter experience of many of their clients is that these criminals – whether based thousands of miles away or sitting inside the organisation itself – mostly achieve at least one of the three objectives.

The PwC experience of just how this happens is summarised in the Information Security Breaches Survey 2014. It also confirms that small companies are almost as vulnerable as big global organisations. Large organisations, according to the report, were successfully attacked on average 16 times over the previous year, with small organisations attacked on average 6 times, with the main breaches being:

Virus or malicious software infection - 73% of large and 45% of small organisations.

Attack by unauthorised outsider(s) - 55% large and 33% small organisations.

Denial of service attacks – 38% large and 16% small organisations.

Network penetration by outsider(s) - 24% large and 12% small organisations.

So, what can the typical Northern Ireland business do to avoid, or at least reduce the risk of, becoming a victim? First, understand what you want to protect and then define the risk associated with protecting it. Who can initiate new customer accounts? Are existing customers’ financial and trading details freely available? Who can authorise online and banking transactions? Who controls passwords, networks and IT access? Where do designs, drawings and vital intellectual property reside and who can access them?

Equally important is deciding who is responsible. It’s not solely an IT issue – it’s a boardroom issue and if cybersecurity is not on the board’s agenda, then executives are ignoring that more than half of all IT security breaches are caused by staff.

And for businesses that really want to get to grips with cyber security, the Information Security Breaches Survey 2015 is now open. This looks at the nature and impact of information security breaches and trends year on year and can be accessed via the PwC website at: http://pwc.blogs.com/cyber_security_updates/

Finally, statistically around half of online businesses in Northern Ireland could become victims in the next 12 months – try to minimise your risk.

Craig McKeown (craig.l.mckeown@uk.pwc.com) and Cara McCrory (cara.l.mccrory@uk.pwc.com) are both directors with PwC in Belfast.